
I set up a telnet/ssh honeypot and found a botnet; what do I do next?

Question asked by djcanadianjeff on Oct 24, 2013
Latest reply on Oct 24, 2013 by kevinds

I got tired of playing video games one breezy afternoon, so I decided to set up a honeypot on my router.

Infected machines connected to me constantly, so I ran an nmap scan of one infected machine and found out telnet was open and that the default USER/PASS of "root"/"admin" allowed me to log in.

I wanted to see what was running on the infected machine, so I took a look and saw several strange things running from /var/run, which is usually a folder for running programs to store their PID.

I wanted to see what connections were established, so I ran good ol' NETSTAT -NTUW and saw hundreds of telnet connections to other IP addresses.

One of the connections was to port 8000 of a remote host, so I did a nice NMAP scan of that port and saw an IRC daemon running there. I connected up to it and found out it was password protected, so I killed the malware on the infected host with the KILLALL command.

I compiled a copy of tcpdump (packet capture) to run on the infected machine, ran tcpdump, started up the malware again, waited 60 seconds, and killed the malware.

I sent the tcpdump pcap over to me and saw the IRC password and channel password in plaintext. I connected up, joined the channel, sat in the channel for 5 min, and saw this!!!!!!!!!!!!!!!

http://i.imgur.com/eJMvQFF.png
